By Eric Ooi, Director of Security and Research
In part one of this two-part series on trusting zero trust, we concluded that a robust monitoring program – as recommended by the Cybersecurity and Infrastructure Security Agency (CISA) – is a necessary foundation for learning to trust your zero trust architecture.
But what does a “zero trust monitoring” program look like?
Verifying Controls, Detecting Threats, and Monitoring Assets
You may have implemented a secure access policy, but is it truly enforcing multi-factor authentication and blocking insecure protocols? Monitoring can reveal what controls aren’t functioning as intended and enable you to course correct. Monitoring can also identify threats that may not surface through traditional alerting, enabling investigations into suspicious or malicious activities. The collected data is useful for deep dives into security incidents, troubleshooting, and operational monitoring.
Another critical aspect of monitoring is asset prioritization. With a detailed and accurate asset inventory, you can assign criticality to each asset and more effectively prioritize your efforts based on budget and team size.
Once logging is in place, the most efficient way to process that data is to forward the logs to a security information and event management (SIEM) platform that centralizes the collection, correlation, and contextualization of all your disparate log sources.
A SIEM helps you quickly identify and respond to suspicious behavior by providing a single system from which to run queries and monitor. With the amount of logging and telemetry generated even in small networks, SIEMs are increasingly essential for any robust zero trust monitoring program.
Finally, you’ll want to enhance your monitoring capabilities with threat intelligence. You’ll likely have access to a general form of threat intelligence through your network and security infrastructure, including firewalls and endpoint protection platforms. As you mature your zero trust monitoring program, the goal is to use threat intelligence that is specific to your industry or, ideally, your organization.
Organizations of any size can benefit from data science and analytics tools that digest and investigate publicly available information and open-source intelligence. More sophisticated programs might set up a dedicated honeypot network masquerading as critical infrastructure to gather organization-specific intelligence.
Anytime you identify malicious or suspicious activity on your networks, the artifacts of the subsequent investigation, including IPs, hashes, URLs, and domains, are forms of threat intelligence. Feed these back into your SIEM to identify similar malicious activity in the future.
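The two monitoring tasks described above, verifying that access controls are actually enforced (the MFA and insecure-protocol questions raised earlier) and matching investigation artifacts fed back as indicators, are shown here as an added, self-contained example. It is not code from ECS or from the original post; the log field names, the protocol list, the indicator values and the JSON-lines telemetry are all constructed for the example, and the checks are written in plain Python rather than any particular SIEM's query language.

```python
"""
Added example (not from the original post): two checks a zero trust
monitoring program would run in its SIEM, expressed in plain Python over
constructed JSON-lines telemetry.

  1. Control verification: a policy may say "MFA everywhere, no legacy
     protocols", but the logs show whether that is being enforced. Each
     successful login without MFA and each allowed session on a legacy
     protocol is reported as a control gap.
  2. Indicator matching: IPs and domains recovered from an earlier
     investigation are fed back as an indicator list and matched against
     new events, whether or not the event itself succeeded.

All field names, protocol names, addresses and domains below are
assumptions made for this example.
"""
import json
from collections import Counter

# Protocols the (hypothetical) access policy is supposed to block outright.
INSECURE_PROTOCOLS = {"telnet", "ftp", "smb1"}

# Constructed indicators "learned" from a previous investigation
# (documentation address ranges and a .test domain, not real infrastructure).
KNOWN_BAD_IPS = {"203.0.113.77"}
KNOWN_BAD_DOMAINS = {"updates.example-bad.test"}

# Constructed telemetry in the shape an access proxy might ship to a SIEM.
SAMPLE_LOGS = """\
{"ts":"2024-05-01T08:00:01Z","type":"auth","user":"alice","src_ip":"198.51.100.10","mfa":true,"result":"success","app":"payroll"}
{"ts":"2024-05-01T08:00:07Z","type":"auth","user":"svc-backup","src_ip":"198.51.100.22","mfa":false,"result":"success","app":"fileshare"}
{"ts":"2024-05-01T08:01:13Z","type":"auth","user":"bob","src_ip":"203.0.113.77","mfa":false,"result":"failure","app":"vpn"}
{"ts":"2024-05-01T08:02:40Z","type":"session","user":"carol","src_ip":"198.51.100.31","protocol":"telnet","action":"allow","dest":"legacy-switch-01"}
{"ts":"2024-05-01T08:03:05Z","type":"session","user":"dave","src_ip":"198.51.100.40","protocol":"https","action":"allow","dest":"updates.example-bad.test"}
{"ts":"2024-05-01T08:03:50Z","type":"session","user":"erin","src_ip":"198.51.100.52","protocol":"ftp","action":"block","dest":"build-server"}
"""


def parse_logs(text):
    """Parse JSON-lines telemetry; skip blank or malformed lines instead of aborting the run."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def find_control_gaps(events):
    """Report events where the stated policy was not enforced.

    A failed login without MFA is not a gap (the factor was never reached), and a
    blocked legacy-protocol session is the control working, so neither is reported.
    """
    findings = []
    for e in events:
        if e.get("type") == "auth" and e.get("result") == "success" and not e.get("mfa", False):
            findings.append({"check": "mfa_not_enforced", "user": e.get("user"),
                             "app": e.get("app"), "ts": e.get("ts")})
        if e.get("type") == "session" and e.get("action") == "allow" \
                and e.get("protocol") in INSECURE_PROTOCOLS:
            findings.append({"check": "insecure_protocol_allowed", "user": e.get("user"),
                             "protocol": e["protocol"], "dest": e.get("dest"), "ts": e.get("ts")})
    return findings


def match_indicators(events, bad_ips=KNOWN_BAD_IPS, bad_domains=KNOWN_BAD_DOMAINS):
    """Report any event touching a known indicator; a failed attempt still matters."""
    hits = []
    for e in events:
        if e.get("src_ip") in bad_ips:
            hits.append({"check": "ioc_src_ip", "indicator": e["src_ip"],
                         "user": e.get("user"), "ts": e.get("ts")})
        if e.get("dest") in bad_domains:
            hits.append({"check": "ioc_dest_domain", "indicator": e["dest"],
                         "user": e.get("user"), "ts": e.get("ts")})
    return hits


def run_checks(text=SAMPLE_LOGS):
    """Run both checks and return the findings plus a per-check tally for a dashboard."""
    events = parse_logs(text)
    findings = find_control_gaps(events) + match_indicators(events)
    return findings, Counter(f["check"] for f in findings)


if __name__ == "__main__":
    all_findings, tally = run_checks()
    for finding in all_findings:
        print(finding)
    print(dict(tally))
```

On the constructed sample this yields four findings: one service account logging in without MFA, one allowed telnet session, one authentication attempt from a known-bad address, and one outbound session to a known-bad domain. The blocked FTP session produces nothing, which is the point of the control check: the absence of a finding is evidence the policy is working, while each finding is either a configuration to correct or a lead to investigate.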
Starting From Zero
Implementing an effective zero trust monitoring program doesn’t have to break the bank. There are cost-effective solutions available for every aspect of a zero trust monitoring program. As you mature your program, you can scale up your monitoring as needed. It’s also important to staff a team with strong technical backgrounds and a solid understanding of your business and industry to get the most out of your platforms.
The ECS Difference
Building a zero trust monitoring program on your own can be overwhelming. That’s where ECS comes in. If you’re ready to start trusting zero trust, we will assess your organization’s zero trust architecture, identify gaps, and deliver solutions that close them.